While a statement from Natural Grocers said the company has not received “reports of any fraudulent use of payment cards from any customer, credit card brand or financial institution,” Brian Krebs has reported that sources in the financial industry detected a pattern of payment card fraud indicating that attackers gained unauthorized access to the point-of-sale (POS) systems at some of the grocery chain's locations and used that access to deploy malware on them.
According to Krebs, Natural Grocers spokespersons have said the company is looking into “a potential data security incident involving an unauthorized intrusion targeting limited customer payment card data.”
That the company “can firmly state what kind of data was not stolen, because they simply do not gather it, is strong evidence of one of the emerging truths of cybersecurity: if you keep something, someone will test your defenses, and if they aren't perfect, they'll take whatever you kept,” said Dr. Mike Lloyd, CTO at RedSeal, in a statement sent to SCMagazine.com. “As a result, the new rules say don't keep it if you don't need it.”
Only those companies that know “how their business processes really work can hope to successfully defend themselves, and vigilance is essential,” said Lloyd, noting that “humans don't do this well” and making a plea for automated testing. “If you can find the weaknesses before the bad guys come looking, you can hope to stay ahead.”
Natural Grocers told Krebs that it is accelerating its efforts to upgrade the POS systems in all of its 93 locations in 15 states to be PCI compliant. The new systems will offer point-to-point encryption, so that card data is encrypted at the terminal rather than handled in the clear by the POS software, and will also support chip-and-PIN payment cards, which, the company said in its statement to Krebs, will “provide multiple layers of protection for cardholder data.”